[PATCH] fixed #2294
authorjeanlf <jeanlf@gpac.io>
Fri, 4 Nov 2022 08:18:47 +0000 (09:18 +0100)
committerMoritz Mühlenhoff <jmm@debian.org>
Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)
Gbp-Pq: Name CVE-2022-45202.patch

src/isomedia/box_code_3gpp.c

index 9faddb2195e64c1a2259ea11620501731489c121..0e8681c4d490092c9368be8fc03d8da3a374a53a 100644 (file)
@@ -1025,8 +1025,7 @@ void dimC_box_del(GF_Box *s)
 
 GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs)
 {
-       char str[1024];
-       u32 i;
+       u32 i, msize;
        GF_DIMSSceneConfigBox *p = (GF_DIMSSceneConfigBox *)s;
 
        ISOM_DECREASE_SIZE(p, 3);
@@ -1037,27 +1036,42 @@ GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs)
        p->streamType = gf_bs_read_int(bs, 1);
        p->containsRedundant = gf_bs_read_int(bs, 2);
 
+       char *str = gf_malloc(sizeof(char)*(p->size+1));
+       if (!str) return GF_OUT_OF_MEM;
+       msize = p->size;
+       str[msize] = 0;
        i=0;
        str[0]=0;
-       while (i < GF_ARRAY_LENGTH(str)) {
+       while (i < msize) {
                str[i] = gf_bs_read_u8(bs);
                if (!str[i]) break;
                i++;
        }
        ISOM_DECREASE_SIZE(p, i);
+       if (i == msize) {
+               gf_free(str);
+               return GF_ISOM_INVALID_FILE;
+       }
 
        p->textEncoding = gf_strdup(str);
 
        i=0;
        str[0]=0;
-       while (i < GF_ARRAY_LENGTH(str)) {
+       while (i < msize) {
                str[i] = gf_bs_read_u8(bs);
                if (!str[i]) break;
                i++;
        }
        ISOM_DECREASE_SIZE(p, i);
+       if (i == msize) {
+               gf_free(str);
+               return GF_ISOM_INVALID_FILE;
+       }
 
        p->contentEncoding = gf_strdup(str);
+       gf_free(str);
+       if (p->textEncoding || !p->contentEncoding)
+               return GF_OUT_OF_MEM;
        return GF_OK;
 }
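Review bot: The final allocation check `if (p->textEncoding || !p->contentEncoding)` is inverted for `textEncoding`: a box whose first string was duplicated successfully is reported as `GF_OUT_OF_MEM`, while a failed `gf_strdup` for `textEncoding` goes unnoticed whenever `contentEncoding` succeeds. It should read `if (!p->textEncoding || !p->contentEncoding)`. Separately, the second read loop is still bounded by `msize`, which was captured before the first string was consumed, so `i` can exceed the reduced `p->size`. If `ISOM_DECREASE_SIZE` returns on underflow (its definition is not visible here), that path exits without `gf_free(str)`. Re-assigning `msize = p->size;` before the second loop would keep the loop bound in step with the bytes actually left in the box.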